v1.0.0

Otaku Wiki

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:24 AM.

Analysis

This skill appears to do what it claims: run a local Python helper to query AniList for anime, character, and staff information, with no credentials, persistence, or hidden data handling evident.

Guidance: This looks safe for normal anime/wiki lookup use. Be aware that it runs a bundled Python script and sends your search terms to AniList; make sure python3 is available because the registry metadata does not fully declare that requirement.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Info | Confidence: High | Status: Note
SKILL.md
exec: run {baseDir}/anilist_cli.py (networked by default)

The skill intentionally gives the agent an exec-based workflow to run the bundled helper script. This is narrow and aligned with the lookup purpose, but it is still local command execution.

User impact: The agent may run a local Python command when answering anime or character questions.
Recommendation: Install only if you are comfortable with the agent running this bundled Python lookup script.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
SKILL.md
metadata: {"moltbot":{"emoji":"📚","requires":{"bins":["python3"]}}}

SKILL.md declares a python3 requirement and the documented commands use python3, while the registry requirement section lists no required binaries. This is a metadata completeness issue rather than evidence of unsafe behavior.

User impact: The skill may not work unless python3 is available, even though the registry requirements say no binaries are required.
Recommendation: Ensure python3 is installed before use; the publisher should align registry requirements with SKILL.md.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Info | Confidence: High | Status: Note
anilist_cli.py
ANILIST_GQL = "https://graphql.anilist.co"

The helper sends lookup queries to AniList’s external GraphQL endpoint. This is expected for the stated no-database AniList lookup purpose.

User impact: Anime, character, or staff search terms entered by the user may be sent to AniList.
Recommendation: Avoid using private or sensitive text as search terms if you do not want it sent to AniList.